We have come a long way since the beginning of e-mail and its essential role in every corner of the Internet. Today, e-mail is the lifeline between brands and consumers: transactional e-mail helps close the loop on user-initiated transactions, limiting the time that both parties have to spend. Password resets have automated a basic customer service function. Believe it or not, people once sat through long wait times on the phone to change a password or to regain access to an application that had locked them out. According to Forrester research, a call to a service desk for a password reset can cost a business $70 per call!
Meanwhile, two-factor authentication combining mobile applications, user-designated PII and, on occasion, e-mail has enhanced the security of critical applications and services. E-mail is not only the medium on which the Internet was built, allowing collaboration between remote parties; it has become the very foundation of digital identity, as well as the most reliable, personalized and universal document store in the world.
Read the first part of this series: The humble beginnings of e-mail and the birth of spy pixels
The rise of spam
When commercial use of the Internet became more than a mere idea (Amazon was launched in 1994), the potential for exploiting electronic mail became equally evident as more and more people started to use the medium.
The engineering of e-mail technology meant that it was essentially an open, standard platform when it was built. Authentication did not exist because trusting the sender of a message was a given: the senders and the e-mail user base were academic. The creators of e-mail could not have imagined how prolifically the medium is used today; the sheer size and speed of e-mail communications is staggering. But this openness and reach is precisely what has driven fraudsters and cybercriminals to abuse the channel.
The term spam was coined in 1993, not with reference to e-mail, but in connection with messages posted to USENET, quite accidentally at first and then maliciously. Soon the term was applied to all forms of unsolicited commercial e-mail (UCE). By the late 1990s, e-mail spam was a major problem, and several different approaches were used to try to limit its growing volume. Companies such as MAPS were born to identify and list spam sources (IP addresses and mail servers) generating millions of unwanted messages. Software such as SpamAssassin was released in 2001 as a set of standard filters to identify spam sent to a destination domain. Internet service providers and mailbox providers began to watch for IP addresses sending massive amounts of spam in order to identify them and stop them at the source, even if only temporarily.
As you can imagine, these measures helped, but the onslaught has continued almost uninterrupted to this day. It was estimated that nine out of ten messages at the time were spam. This metric is more or less unchanged today. Some measurements, such as Talos from Cisco, put the ratio at 85% spam and 15% legitimate e-mail; others say that legitimate e-mail accounts for less than 10% of the total volume of global e-mail. Regardless of the actual number, the balance is lopsided: spammers send more mail than legitimate marketers.
Image source: metrics reports of the Messaging, Malware and Mobile Anti-Abuse Working Group (M3AAWG)
With the rise of spam, new technologies and methods of dealing with it became important and essential on the Internet. First of all, the US Congress took a run at the problem by adopting the CAN-SPAM law of 2003. This strengthened the response to e-mail abuse, but did not have the deterrent effect that anti-spam advocates and crusaders had hoped for. At about the same time, AOL developed a technology that lets users identify and report spam in the form of a "spam button". As we know, it has been ubiquitous in every e-mail client on the planet since then.
The birth of the spam button was due, at least in part, to the way spammers abused and subverted the legitimate use of unsubscribe buttons. Prior to CAN-SPAM, the unsubscribe link was not included in all legitimate e-mails. However, both legitimate senders and spammers used this feature and, over time, recipients learned that clicking on an unsubscribe link did not always produce the desired result. Once the link was no longer reliable, clicking it simply told a spammer that the recipient of that e-mail was a live person. Spammers launching dictionary attacks would include unsubscribe links to determine whether a randomly generated recipient existed and to help present their messages as legitimate.
It took many years, but the unsubscribe link has become trusted again. Not only has it become reliable, but mailbox providers are also actively using the list header to create an unsubscribe feature at the top of an e-mail. Pro tip: do not bury your unsubscribe link. Recipients have many ways to stop receiving communications; letting them unsubscribe is by far the cleanest and the least detrimental to your sending reputation. By obscuring the footer text and making the link hard to find, you force them to mark your message as spam or, worse, as phishing out of pure frustration.
A New Framework Is Born
Around 2004, the final specification of SPF (Sender Policy Framework) was published, marking the beginning of a notion of trust between senders and recipients of e-mail. SPF lets a domain authorize, via a DNS record, an IP address to send on its behalf. SPF was a good start, but it was not a foolproof solution to the growing volume of spam: spammers now publish SPF records too. Receiving domains could make more informed decisions about the origin of a given message, but SPF was not a panacea.
At the time SPF was published, a second standard was in preparation: DKIM (DomainKeys Identified Mail), a cryptographic solution to ensure that the content was not tampered with while the message was in transit. Creating standards around the origin of a message, and around its content when it is received compared with when it was sent, goes a long way toward establishing the trustworthiness of a particular e-mail and of its sender. But again, it was not a complete and comprehensive solution to the global spam epidemic.
DKIM, with SPF, became the foundation of DMARC (Domain-based Message Authentication, Reporting, and Conformance) in 2011. DMARC allows the sender of an e-mail to create a set of instructions for the destination domain on what to do if the message fails an SPF or DKIM check. This policy makes it very difficult to spoof brands and send fraudulent messages to unsuspecting recipients, or to misappropriate content elements to trick the filters. If a message fails either or both of the checks, the DMARC record may tell the recipient domain to reject the message and not deliver it. In addition, the DMARC forensic reports sent back to the senders of the messages helped them identify the geographic locations where problems were arising, creating a greater awareness of brand vulnerabilities in the marketplace.
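The receiver-side decision described in the SPF and DMARC paragraphs above, as an added Python example that is not from the original article. The domain, IP ranges and TXT records are constructed; the code assumes the envelope domain and the From domain are identical and takes the DKIM verification result as a boolean.

```python
import ipaddress

# Constructed sample TXT records for a hypothetical domain, example.com.
DNS_TXT = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 ip4:198.51.100.7 -all",
    "_dmarc.example.com": "v=DMARC1; p=reject; rua=mailto:dmarc@example.com",
}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def spf_check(domain, client_ip, dns=DNS_TXT):
    """SPF result for client_ip; only ip4, ip6 and all are evaluated."""
    terms = dns.get(domain, "").split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in terms[1:]:
        result = "pass"  # a mechanism without a qualifier means "+"
        if term[0] in QUALIFIERS:
            result, term = QUALIFIERS[term[0]], term[1:]
        name, _, value = term.partition(":")
        if name.lower() == "all":
            return result
        if name.lower() in ("ip4", "ip6"):
            net = ipaddress.ip_network(value, strict=False)
            if ip.version == net.version and ip in net:
                return result
    return "neutral"  # no mechanism matched

def dmarc_policy(from_domain, dns=DNS_TXT):
    """Requested policy (p=) from the _dmarc TXT record, default 'none'."""
    record = dns.get("_dmarc." + from_domain, "")
    parts = (p.partition("=") for p in record.split(";"))
    tags = {k.strip().lower(): v.strip() for k, _, v in parts if k.strip()}
    if tags.get("v") != "DMARC1":
        return "none"
    return tags.get("p", "none").lower()

def disposition(from_domain, client_ip, dkim_pass, dns=DNS_TXT):
    """Receiver's action: 'deliver', 'quarantine' or 'reject'."""
    spf_pass = spf_check(from_domain, client_ip, dns) == "pass"
    if spf_pass or dkim_pass:  # DMARC passes when either aligned check passes
        return "deliver"
    policy = dmarc_policy(from_domain, dns)
    return "deliver" if policy == "none" else policy

if __name__ == "__main__":
    print(disposition("example.com", "192.0.2.55", dkim_pass=False))
    print(disposition("example.com", "203.0.113.9", dkim_pass=False))
```

A domain that publishes an SPF record but no DMARC record leaves the receiver with no instruction for failing mail, which is why `dmarc_policy` falls back to `none`.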
About the Author
Len Shneyder is a 15-year veteran of electronic mail and digital messaging and vice president of industrial relations at SendGrid. Len is an evangelist and a supporter of best practices. He drives thought leadership and offers data-driven insight into industry trends, drawing on the sheer volume of e-mail sent by SendGrid on behalf of its clients. Len represents SendGrid on the board of the M3AAWG (Messaging, Malware, Mobile Anti-Abuse Working Group) as vice president, and co-chairs the program committee. He is also a member of the EEC (EMEA), where he serves as vice president of the organization. The EEC is a professional organization focused on promoting best practices in e-mail marketing. The EEC is part of the DMA (American Direct Marketing Association), a nearly 100-year-old organization where he also sits on the ethics committee. In addition, Len has worked closely with the Email Sender & Provider Coalition (ESPC) on issues related to data privacy and e-mail deliverability.